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Abstract 

This paper will investigate the application of embedded 
systems in current state of the art vehicle stability systems. 
For clarification purposes, the focus will be on those systems 
similar to ESP (electronic stability program) originally 
developed by Bosch in 1995. The overall emphasis of this 
paper will be to examine these automotive systems from an 
embedded systems point of view. 

There are several key issues pertaining to embedded systems 
in vehicle stability control addressed throughout this paper. 
The first issue addressed will be state of the art electronics 
used in these systems including controllers, actuators, and 
sensors; then followed by the issue of operation of the 
stability control electronics and the way they interact with 
other vehicle electronics such as engine control. The third 
issue is the control algorithm and architecture that operates 
the system. 

This paper will also analyze the limitations of these vehicle 
stability systems, possible sources of system failure, as well 
as what is being done to prevent such failure. In addition, 
this paper will investigate the future trends in vehicle 
stability control and try to determine future developments in 
vehicle stability control. Finally, the advantages and 
disadvantages in terms of safety and performance are 
discussed. 
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Introduction 

Embedded systems play a critical role in vehicle 
stability control systems. By examining current state of 
the art systems like Bosch's ESP in great detail, the 
impact of embedded systems for this automotive 
application can be understood. 

One of the biggest technological advances that have 
made systems like Bosch's ESP possible is the wide 
availability of automotive electronics. Electronics such 


as electronic control units, steering angle sensors, 
wheel sensors, lateral acceleration sensors, yaw rate 
sensors, and engine controllers have made the 
development of vehicle stability systems possible. In 
addition, the ability to connect these electronic 
components over a high speed network has aided in 
the development of these vehicle systems. 

The electronic components of ESP work to stabilize a 
vehicle in a critical situation and prevent it from 
steering are out of control. The system operates 
through a series of high speed digital messages sent 
from the sensors to the control unit, and finally to the 
actuators. In a matter of milliseconds, these components 
assess the status of the vehicle, determine any 
necessary corrective action, and initiate that corrective 
action by applying the brakes and controlling engine 
torque [Van Zanten et al. (1999)]. 

The fundamental control algorithm utilizes the data 
flow among all of the electronic components to assess 
the vehicle's behavior, determine if any changes need 
to be made to the vehicle, and control the components 
responsible for altering the vehicle's behavior. The 
primary goal of the control algorithm is to compare 
the actual behavior of the vehicle with the desired 
behavior, as well as to determine what needs to be 
done to make those behaviors equivalent [Van Zanten 
et al. (1999)]. 

Electronic systems have greatly improved the safety 
and performance of vehicles. With such systems, there 
are some inherent limitations and problems including 
increased risk that must be addressed by system 
designers. Because these systems are critical for safety, 
special steps must be taken to ensure the systems 
reliability and fault tolerance. 

In the past twenty years, the automotive industry has 
seen vehicle safety going from anti-lock brakes, to 
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traction control, and finally to stability control. 
Stability control is a technology people could have 
never dreamed of 40 years ago. However, recent 
developments in other vehicle applications such as 
brake-by-wire and steer-by-wire are continuing to 
push the capability and performance of vehicle 
stability control forward. 

Finally there are many advantages of a system like 
ESP, including vehicle safety and improved control in 
inclement conditions. While the introduction of 
electronic control into more and more vehicle systems 
offers significant improvements and advantages, there 
are inherent risks and problems associated with this 
progression. Issues related to decreased driver control 
and consumer awareness need to be addressed when 
vehicle electronic systems like ESP are in development. 

ESP: Past, Present, and Future 

The history of vehicle stability control can be followed 
simply by investigating Bosch's contributions to 
vehicle electronic systems over the past 25 years. 
Bosch has led to the development of vehicle stability 
controlled by introducing 3 fundamental systems into 
the market: anti-lock braking (ABS), traction control 
(TCS), and electronic stability program (ESP) ["Bosch 
Braking Systems", http://www.boschautoparts.co.uk]. 

The development of ESP began in 1978 when Bosch 
introduced the world's first anti-lock braking (ABS) 
system ["Bosch Braking Systems", 

http://www.boschautoparts.co.uk]. ABS was the first 
step in vehicle stability control. By means of an 
electronic controller integrated with the brake 
hydraulic modulator, this system increased vehicle 
stability during heavy braking by preventing the 
wheels from locking up ["Bosch Braking Systems", 
http://www.boschautoparts.co.uk]. This system is 
especially effective when braking on slippery surfaces. 

ABS functions by using the wheel speed sensors to 
monitor each wheel and send that information to the 
central ECU. If the ECU detects an indication of wheel 
lock-up based upon the speed of each wheel, it will 
use the hydraulic modulator to adjust the braking 
force applied to the desired wheel [Cage (1999)]. The 
greatest level of benefit will occur when ABS is 
utilized on slippery surfaces. There are three primary 
objectives of ABS: reduction of stopping distances, 
improvement on stability, and steerability during 


braking [Cage (1999)]. 

The next step in the development of vehicle stability 
control was the introduction of the traction control 
system (TCS) by Bosch in 1987 ["Bosch Braking 
Systems", http://www.boschautoparts.co.uk]. The goal 
of traction control is to stabilize the vehicle during 
acceleration by preventing the wheels from spinning 
out of control. TCS also seeks to improve traction of 
the wheels while accelerating. TCS used all of the 
same components as previous ABS systems with the 
addition of engine management [Sauter (1999)]. 

By selectively applying the brakes to wheels that are 
slipping, TCS is able to increase the amount of traction 
for that wheel. This is especially important when the 
wheels are on surfaces with varying levels of friction 
[Sauter (1999)]. In addition to using the brakes to 
control traction while accelerating, TCS also utilizes 
engine management to control the vehicle. By 
communicating with the engine controller, the TCS 
system is able to control the amount of torque that is 
sent to the wheels. If the system detects that a wheel 
has almost no traction with the road and is simply 
spinning, the TCS system is able to greatly reduce the 
torque delivered to that wheel. The engine 
management system adjusts the amount of torque by 
controlling the airflow to the engine (throttle control), 
the fuel injection, and the spark timing [Sauter (1999)]. 
By adjusting all of these elements, TCS is capable to 
greatly increase or decrease the amount of torque 
delivered to a wheel. 

Engine management is a tremendous advancement in 
vehicle stability because it greatly has reduced the 
dependence on braking systems, thus the amount of 
wear and tear on the brakes as well as the size of 
brakes necessary on the vehicle [Sauter (1999)] are 
reduced. 

The following table shows the evolution of vehicle 
stability control systems over the past 25 years, the way 
how each system was built based upon the previous 
one by indicating shared components and how each 
system differs by listing the additional components that 
enable the next evolution in vehicle stability. 

Bosch took vehicle stability from preventing skidding 
while braking to stabilizing the vehicle on slippery 
roads. Vehicle stability technology will continue to 
move forward with more developments in automotive 
electronics. 
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Technology 

Year 

Past Components 

New Components 

ABS - Anti-Lock 
Braking System 

1978 

Disc Brakes 

Hydraulic Modulator, 
ECU, wheel speed 
sensors 

TCS - Traction 
Control System 

1987 

Disc Brakes, 
ECU, wheel 
speed sensors 

Engine ECU 

ESP - Electronic 
Stability Control 

1995 

Disc Brakes, 
ECU, Engine 
ECU, Wheel 
Speed Sensors 

Yaw Rate sensor, Lat. 
Accel. Sensor, Steering 
Angle Sensor 


FIG. 1 VEHICLE STABILITY TIMELINE ["BOSCH BRAKING 

systems", http://www.boschautoparts.co.uk] 


Vehicle Stability Manufacturers 

There are four major manufacturers of vehicle stability 
control systems: Bosch, Continental-Teves, TRW, and 
Delphi. Bosch and Continental-Teves predominate the 
majority of the market share, with Delphi and TRW 
the relative latecomers developing systems only 
within the past two years ["Braking Systems", 
www.trw.com. Electric Steering Systems, www.delphi.com]. 

All four manufacturers follow a similar architecture. 
The basis for all current vehicle stability control 
systems is of course Bosch's ESP system that was 
originally introduced in 1995 [Braking and Chassis 
Systems, www.boschusa.com]. Current state of the art 
systems from all of these manufacturers all include the 
same basic components: hydraulic modulator w/ECU, 
wheel speed sensors, steering angle sensor, yaw rate 
sensor, lateral acceleration sensor, engine controller, 
transmission controller, acceleration pedal sensor, and 
brake pressure sensor. The greatest amount of 
variation in systems manufactured by different 
companies will reside in selection of the individual 
components rather than in the overall architecture. 
The following table displays the current 
manufacturers of vehicle stability systems, when they 
first entered the market, their system, and the various 
vehicle markets where their system can be found. 


Manufacturer 

Year 

System Name 

Markets 

Bosch 

1995 

ESP-Electronic 
Stability Program 

Mercedes, Lexus, 
Audi, BMW, VW 

Continental- 

Teves 

1998 

ESP-Electronic 
Stability Program 

BMW, Chrysler, 
Ford, Jaguar, 
Nissan, Toyota 

Delphi 

2002 

TRAXXAR 

Cadillac, GM Vans 

TRW 

2002 

VSES- Vehicle Stability 
Enhancement System 

Cadillac Escalade 


FIG. 2 VEHICLE STABILITY MANUFACTURERS [BRAKE-BY- 
WIRE TECHNOLOGIES, WWW.CONTI-ONLINE.COM, BRAKING 
AND CHASSIS SYSTEMS, WWW.BOSCHUSA.COM, "BRAKING 
SYSTEMS", WWW.TRW.COM, ELECTRIC STEERING SYSTEMS, 
WWW.DELPHI.COM] 


Components of ESP 

A vehicle stability program requires the interaction of 
several electronic modules, sensors, and actuators. The 
most fundamental piece of the ESP system is the ECU 
or Electronic Control Unit. The figure below shows an 
ESP ECU from Bosch with a built-in hydraulic 
modulator for brake activation. Early versions of ESP 
used an ECU that is separated from the hydraulic 
modulator, but in an effort to reduce weight, size, and 
cost, an ECU was developed using hybrid ceramic 
substrates much smaller in size than earlier ECU's. 
Using ceramic substrates has also greatly improved 
the ECU's thermal robustness and overall lifetime 
[Van Zanten et al. (1998)]. 



1 


FIG. 3 ESP HYDRAULIC MODULATOR WITH ADD-ON ECU 
[Braking and Chassis Systems, www.boschusa.com] 

The ECU is the "brains" of the vehicle stability system. 
The ECU is responsible for gathering data from the 
sensors and using that data to calculate any adjustments 
that need to be made to the brake pressure or engine 
torque. A more detailed explanation of system 
operation will be given later. 

A common design for current state of the art ESP 
ECU's is a dual microprocessor layout. A typical 
microprocessor used in ECU's of this type is the Intel 
8XC196JT [Van Zanten et al. (1998)] specifically 
designed for automotive applications that is an 8-bit 
microprocessor with 256 kilobytes of ROM and 8 
kilobytes of RAM and has PWM outputs (pulse width 
modulation), A/D inputs on operating range from -40 
to 125°C [www.intel.com/design/auto/chassis.htm]. 
The chip also has a built-in watch dog timer to reset 
the device in the case of software or hardware failure 
["The TTP Protocols", http://www.vmars.tuwien.ac.at/ 
projects/ttp/ttpmain.html]. Such fault tolerance 
protection is extremely critical in a system such as ESP. 
ESP that is a hard real-time system and system faults 
or failures are not acceptable. The results could be 
catastrophic in the event of a system failure. 
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FIG. 4 ECU LAYOUT WITH DUAL 8XC196JT MICROPROCESSORS 
[Van Zanten et al. (1998)] 

The vehicle stability system also requires the use of 
many different sensors in order to determine the 
actual state of the vehicle as well as the desired state of 
the vehicle based upon the driver's input. 

To determine the speed of the vehicle and the amount 
of pressure applied to each wheel, the system uses 
wheel speed sensors. The information from the wheel 
speed sensors is used to calculate the actual vehicle 
speed as well as the amount of slip that each wheel is 
experiencing. The amount of tire slip is calculated by 
comparing the speed of the wheel with the actual 
vehicle speed. Tire Slip = wheel speed-actual vehicle 
speed [Van Zanten et al. (1999)]. The actual vehicle 
speed is determined by assessment on the speed of a 
non-driven wheel. 



FIG. 5 WHEEL SPEED SENSOR [Braking and Chassis Systems, 
www.boschusa.com] 

The system also needs to be capable of monitoring the 
desired motion of the vehicle from the driver's input. 
To measure the driver's input, a steering angle sensor 
and acceleration pedal sensor are used. The steering 
angle sensor is mounted behind the steering wheel on 
top of the steering column and measures the position 
of the steering wheel. There is also a sensor for the 
acceleration pedal to measure the desired speed/ 
acceleration of the vehicle. See Fig. 3 below. 



FIG. 6 STEERING ANGLE SENSOR [BRAKING AND CHASSIS 
SYSTEMS, WWW.BOSCHUSA.COM] 


A fundamental development in automotive electronics 
that facilitate the creation of ESP is the ability to 
measure the vehicle's rotation around a vertical axis. 
Imagine a pole going through the top of the car down 
to the road. Now imagine the car spinning around this 
pole: the amount of rotation is the yaw of the vehicle. 
The ECU uses the data from the yaw rate sensor to 
determine if the vehicle rotates too much: over-steer 
condition, or if the vehicle does not rotates enough: 
under-steer condition. The yaw rate sensor is based 
upon a vibrating cylinder-gyrometer. The metal 
cylinder is vibrated at a constant frequency. Nodes are 
displaced depending on amount of vehicle rotation 
due to the Coriolis Effect. A typical yaw rate sensor is 
pictured below. 



FIG. 7 YAW-RATE SENSOR [BRAKING AND CHASSIS 
SYSTEMS, WWW.BOSCHUSA.COM] 

In addition to the sensors described previously, vehicle 
stability systems also employ lateral acceleration sensors 
and brake pressure sensors. 

The following picture shows the layout of the various 
ESP components and sensors in a vehicle. 



FIG. 8 ESP SYSTEM ON CAN NETWORK 


CAN Network 

The electronic components in ESP are communicated 
using a CAN network. CAN, a secure, high speed 
serial communication standard, developed by BOSCH 
in the mid 1980's and became a worldwide standard in 
the early 1990's, is a very cost effective and robust 
network [CAN networking, www.can.bosch.com]. 
Currently, CAN is the most widely used standard for 
networking in automotive applications. Because CAN 
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is used in so many automotive applications, systems 
such as ESP are able to interact with other on-board 
vehicle systems using CAN such as engine and 
transmission controllers. 

CAN is faster than earlier serial communication protocols 
in the automotive industry such as J1850. High speed 
CAN is able to reach transfer speeds in the 500kbytes - 
1 Mbyte/s range. Such high data speeds make CAN an 
excellent choice for safety critical systems such as ESP. 

CAN uses an event triggered protocol. The system will 
experience peak loads when transmission of multiple 
messages is requested at the same time. CAN utilizes 
non-destructive arbitration— all messages will eventually 
be transmitted. Because CAN uses a non-destructive 
arbitration, the system must have sufficient processing 
power to meet all transmission deadlines during peak 
loads [CAN networking, www.can.bosch.com]. This is 
especially critical for hard real-time systems such as 
ESP, because any missed deadline during peak bus 
loads would result in complete system failure. 

The order of transmission when multiple messages are 
sent is based upon a pre-defined priority. This method 
of transmission leads to one significant drawback 
during peak bus loads: unpredictable latency. Because 
there is no specific piece of transmission time set aside 
for each message, lower priority messages must keep 
until all higher priority messages have been sent 
before they are given control of the bus. Depending on 
the amount of load on the bus, some lower priority 
messages may have to keep a couple of seconds before 
transmitting. Because of this unpredictable latency, it 
is imperative for hard real-time systems like ESP that a 
scheduling analysis of the whole system has to be 
done to ensure that all transmission deadlines are met 
even at peak bus loads [CAN networking, 
www.can.bosch.com]. This means that special care 
should be taken when a microprocessor for ESP is 
selected. The processor should have plenty of spare 
capacity even during peak load times to make sure 
there are no delays for system critical messages. 

System Operation 

ESP works to prevent a vehicle from skidding out of 
control. Every 40 ms the ESP system evaluates where 
the driver is steering the vehicle and where the vehicle 
is actually going. When vehicle instability is imminent 
due to over-steering or under-steering, the ESP system 
reacts by selectively breaking the wheels individually 


and managing the engine output. By controlling the 
amount of slip at each wheel and the amount of torque 
produced by the engine, ESP is able to stabilize the 
vehicle giving the driver control of the vehicle in 
critical situations [Braking and Chassis Systems, 
www.boschusa.com] . 



□VEKETHHft L'NIKMHbkH 

FIG. 9 OVER STEER AND UNDER STEER OF A VEHICLE 

During a right hand turn, if the system detects an 
over-steer condition, it will apply brake pressure to the 
left front wheel. If the system detects an under-steer 
condition, then it will apply pressure to the right rear 
wheel [Van Zanten et al. (1999)]. ESP helps the driver 
to avoid serious accidents caused by skidding or 
swerving. 

In addition to controlling the vehicle by applying brake 
pressure, the ESP system also interacts with the engine 
management system by communicating with the engine 
control unit. The engine controller is also an embedded 
system that is responsible for such tasks as fuel injection, 
spark timing, throttle control and air/fuel ratio. By 
sending control signals to the engine controller, ESP is 
able to adjust the amount of torque applied to the 
wheels. Even though the driver is fully depressing the 
accelerator, ESP may decide that a reduction in wheel 
torque is necessary to stabilize the vehicle. 



FIG. 10 ON-BOARD ENGINE CONTROLLER [ELECTRIC 
STEERING SYSTEMS, WWW.DELPHI.COM] 

Real-Time System Issues 

At its most basic level, a system is one or more inputs 
entering a device and one or more outputs leaving a 
device. In the case of ESP, the approximate number of 
inputs is 11: 
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1. Brake Master Cylinder Pressure 

2. Brake Light Signal 

3. Lateral Acceleration 

4. Wheel Speed (4) 

5. Yaw Rate 

6. Park Brake Switch 

7. Steering Wheel Angle 

8. ESP On/Off Switch 

9. Brake Fluid Level 

10. Accel. Pedal Position 

11. T r ansmission Status 


The ESP system uses the input information to 
determines the current state and desired state (driver 
input) of the vehicle. From these inputs, the system 
will generate a set of primary output signals to adjust 
the state of the vehicle: 

1. Hydraulic Control (brakes) 

a. self-priming recirc pump 

b. precharge pump 

c. inlet valve 

d. outlet valve 

e. pressure limiting EM valve 

f . high pressure suction valve 

g. accumulator 

2. Engine Management Signals 

a. spark timing 

b. throttle control 

c. fuel injection 

3. Transmission Management 

4. Driver Information Signals 


Actuating Signals 
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FIG. 11 ESP I/O DIAGRAM [VAN ZANTEN ET AL. (1998)] 

The ESP controller calculates the signals for up to 21 
actuators (12 valves, pump motor, engine and 
transmission controls, 3 driver information lamps, 
buzzer, and ON/OFF switch for ESP) which modify 


the tire forces or inform the driver. In the event of a 
failure, the ESP system may use these actuators 
improperly; therefore the system should be designed 
to avoid such malfunctions [Van Zanten et al. (1999)]. 

ESP uses both a polling and interrupt driven I/O 
method. The polling occurs every 40 ms as the system 
collects data from all of the sensors and modules. 
These tasks are quietly running in the background 
completely imperceptible to the driver. The main ECU 
is also constantly monitoring individual system 
components for faults and failures. Aside from 
collecting data from the sensors, the system is 
primarily interrupt driven. When a critical situation 
occurs, the system immediately takes action regardless 
of what time-based task takes place. The time-based 
tasks are suspended until all critical service routines 
are completed. 

ESP is truly an embedded system with almost no input 
from the user. There is no keyboard or mouse or 
monitor. The only controllable interface that the driver 
has is the ESP on/off switch. Additional user interfaces 
would include the ESP signal in the cluster to alert the 
driver that the system is active or that there is an error 
with the system. 

ESP is a complex system working under very stringent 
timing requirements. Every 40 ms the system must 
sample the input signals and determine the current 
state of the vehicle. In those instances when the system 
detects a critical condition, it will begin to respond 
before the driver is even aware of that the vehicle is 
steering out of control. Time is of the utmost 
importance, because any delay in the system's 
response could have disastrous consequences for the 
driver. When driving at highway speeds under icy or 
wet conditions, a tenth of a second could mean the 
difference between slamming into a guardrail and 
safely staying in your lane. 

ESP should be classified as a hard real-time system. 
The system must meet strict timing requirements 
during operation. The principle value of ESP is its 
ability to react and stabilize the vehicle faster than 
human being. Some state of the art ESP systems is able 
to activate at a rate of 150 times/sec or every 7ms. This 
is far better than the fastest human response of 300 ms 
[Braking and Chassis Systems, www.boschusa.com]. In 
most cases, ESP identifies the critical situation and 
reacts before the driver is even aware of that the 
vehicle is out of control [Braking and Chassis Systems, 
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www.boschusa.com]. If the system were to consistently 
miss its timing deadlines, then there would be no use 
for such a system. 

If the ESP system fails to meet a timing deadline, then 
the system has failed entirely. The system's inability 
to meet response time requirements could have 
disastrous consequences for both the driver of the 
vehicle and other drivers on the road. In some 
instances, failing to meet timing deadlines could result 
in death or serious injury to vehicle occupants. 
Because of this, ESP is a hard real-time system, and 
special precautions must be taken during system 
designed to ensure the system's ability to meet 
response time requirements. 

Control Structure 

The flow of control for ESP begins with the driver's 
input and current vehicle status. The following data is 
gathered from the sensors and sent to the ECU: 
steering angle, yaw rate, wheel speed, lateral 
acceleration, acceleration pedal pressure, brake pedal 
pressure, brake fluid pressure, and engine 
management information. From this information, the 
ECU calculates the actual motion of the vehicle. In 
addition to calculating the actual motion of the vehicle, 
the ECU must also determine the nominal or desired 
motion of the vehicle. The nominal motion of the 
vehicle is calculated primarily based on driver input 
information: steering angle sensor, throttle position 
sensor, brake pedal sensor. The nominal motion is 
where the driver would "want" the vehicle to go were 
it not for the environmental conditions such as a 
slippery road causing the vehicle to steer out of control. 

The ESP controller compares the nominal values for 
vehicle motion with the actual values for vehicle 
motion. Once the difference in these two values is 
determined, the ESP controller determines the 
corrections in the tire slip values that are necessary to 
achieve the nominal value for vehicle motion [Van 
Zanten et al. (1999)]. The overall control of the vehicle 
is based upon the slip values for all four wheels. Tire 
slip is the difference between the speed of the tire and 
the actual speed of the vehicle. If the tire is spinning 
faster than the vehicle that is moving, then the tire 
experiences slip. 

The corrections in the tire slip values are then sent to 
an internal module of the ESP controller. This module 
is called the slip controller. Based upon the corrections 


in the tire slip values that need to be made, the slip 
controller will then determine the control signals that 
need to be sent to the system's actuators (valves, 
pumps, etc) in order to achieve the desired tire slip 
values [Van Zanten et al. (1999)]. The slip controller 
sends these control signals to the various actuators to 
change the motion of the tires. Below is the flow of 
control data for the slip controller. 
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FIG. 12 SLIP CONTROLLER DATA FLOW [VAN ZANTEN ET AL. 
(1999)] 


Control of ESP operates under a dual feedback loop 
system. There is an outer control loop and an inner 
control loop. The outer feedback loop calculates 
corrections in the nominal slip values of the tires from 
the difference between the nominal and actual motion 
of the vehicle. These corrections are sent to the inner 
feedback loop which derives the control signals for the 
actuators to adjust the tire slip to the nominal values 
[Van Zanten et al. (1999)]. 



FIG. 13 DUAL LOOP CONTROL CONCEPT [VAN ZANTEN ET AL. 

(1999)] 

Pictured below is the fundamental control task for the 
ESP system. The vehicle is the plant. The sensors 
transmit information to determine both the nominal 
and actual behavior of the vehicle. By comparing the 
actual behavior with nominal behavior of the vehicle 
corrections to the tire, slip values can be determined. 
Actuator control signals derived from the tire slip 
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values are sent to the various actuators in the vehicle 
to initiate brake and engine interventions [Van Zanten 
et al. (1999)]. 
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FIG. 14 FUNDAMENTAL CONTROL TASK [VAN ZANTEN ET AL. 

(1999)] 

Safety and Robustness 

There are several key safety issues that play an 
important role in the design and evaluation in a hard 
real-time system like ESP. One of the most important 
issues is integration and validation of the system 
components: sensors, ECU, hydraulic components. 
Oftentimes, the components are manufactured by 
various suppliers and may have proprietary interfaces 
or internal software that must be adapted to work 
with other components. Some of the electronic 
modules are not designed for ESP applications. Their 
operations must be validated and their interfaces have 
to be adapted to the ESP system [Van Zanten et al. 
(1999)]. 

As true with any system made of various modules, 
ESP is only as good as its weakest component. For this 
reason, each component must be tested and verified to 
make sure that it meets the strict safety and timing 
requirements for an ESP system. 

Another challenge faced by suppliers of ESP systems 
is vehicle variation. Since driving characteristics and 
other components can vary greatly from vehicle to 
vehicle, ESP will have to be reconfigured and 
validated for each vehicle. 

There are two types of system shutdowns that can be 
used for ESP: soft or hard [Van Zanten et al. (1999)]. 
The system must be able to evaluate the 
appropriateness of the type of shutdown to be used. In 
the event that the vehicle is driven at highway speeds, 
a hard shutdown should be avoided if possible. On 
the other hand, if the system detects a severe failure 
while the vehicle is stopped then a hard shutdown 
may be used in the form of limp-home or walk-home. 


Limp-home mode utilizes the engine management 
system to restrict the vehicle's speed below 20mph. 
This is one advantage of ESP and the engine 
management system sharing the same vehicle network. 

When the system determines that a system failure is 
severe enough and that the driver's safety is in danger 
then it would create a walk-home condition, another 
hard shutdown. Using the engine management system, 
ESP would prevent the engine from starting entirely, 
forcing the driver to "walk home." Such a system 
shutdown would only be used in the worst case 
scenario. 

In addition, because failure of the ESP system could 
have such disastrous consequences steps have been 
taken to ensure partial functionality of the ESP system 
even when failure occurs. This would be a soft system 
shutdown. Instead of completely switching off the 
system in the event of a failure, certain key elements 
like ABS will remain functioning. For example, if the 
system discovers a failure in the engine management 
interface, then that portion of the system would be 
suspended and the system would only operate during 
braking [Van Zanten et al. (1999)]. Such steps have 
been taken to increase the system's robustness and 
fault tolerance. 

As with any system like ESP, a thorough Design 
Failure Mode and Effects Analysis (DFMEA) should 
be completed during system design and testing. This 
would allow for built-in corrective measures based on 
the analysis of potential problems resulting from 
failures [Van Zanten et al. (1999)]. 

One important feature found in the ESP software is 
model-based sensor monitoring. This type of sensor 
monitoring is able to detect failures that are only 
slightly out of specification. Model-based sensor 
monitoring operates by comparing the actual output 
of the sensor with a predicted output calculated by a 
software model [Van Zanten et al. (1999)]. The 
software tracks the history of the sensor's output and 
determines the possibility of current readings based 
upon a model. Once the controller has detected a 
sensor that operates out of spec, then the controller is 
able to decrease its own level of sensitivity to that 
sensor. In other words, when a sensor is under 
suspicion of failure, the system's magnitude of 
response to that sensor may decrease dramatically 
[Van Zanten et al. (1999)]. 
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FIG. 15 MODEL-BASED SENSOR MONITORING DIAGRAM [VAN 
ZANTEN ET AL. (1999)] 

These are just some of the techniques used by 
engineers and designers to increase the safety and 
reliability of vehicle stability control systems. 

Future Trends in ESP 

As long as the number of embedded systems in 
automotive applications continues to grow so will the 
possibilities of ESP or vehicle stability. With every 
vehicle system or function that replaces mechanical 
control with electronic control, ESP has another 
opportunity to increase its capability and performance. 
The future of ESP will be dictated by advances in 
embedded systems for other automotive applications. 

Two of the most significant advancements that will 
affect the future of ESP are the development of steer- 
by-wire and brake-by-wire systems. Removal of the 
mechanical element from steering and braking would 
allow ESP to have full control over braking and 
steering during a critical situation. 

Brake-By-Wire 

True brake-by-wire is also referred to as EMB, or 
electro-mechanical brake. Another form of brake-by- 
wire is electro-hydraulic brake, but this system uses 
traditional methods to apply pressure to the brakes via 
fluid. For this discussion EMB will be the focus when 
referring to brake-by-wire. 

EMB eliminates brake fluid and hydraulic lines 
entirely. The braking force is generated directly at each 
wheel by high performance electric motors. These 
motors are controlled by a central ECU and activated 
by electrical signals sent from the ECU in response to 
the electronic pedal module [Brake-By-Wire 
Technologies, www.conti-online.com]. Below is the 
brake-by-wire system architecture with the 4 brake 
actuators on a dual TTP bus. 



FIG. 16 EMB SYSTEM ARCHITECTURE [HEDENETZ & 
BELSCHNER (1998)] 

EMB is a hard real-time system. Any kind of system 
delay or failure could have disastrous, in some cases 
fatal results for the driver of the vehicle. Without room 
for error during system operation, special care must be 
taken during system design to ensure robustness and 
reliability under all conditions. 

There is no physical connection between the brake 
pedal and the brakes. This mechanical connection has 
been replaced by an electronic signal sent over a bus. 
Without physical connection to the brakes, an 
electronic actuator must be placed on the brake pedal 
to simulate the mechanical feedback to the driver. 
Consumers would never accept a braking system that 
lacks the normal 'Teel" associated with braking. 
Because braking is such a safety critical system, this 
kind of brake-by-wire system would have to use a 
fault tolerant bus such as TTP protocol [Hedenetz & 
Belschner (1998)]. 

TTP is a time triggered protocol specifically designed 
for Class C automotive applications in which any kind 
of system failure could result in death or injury to the 
driver. The network consists of sets of redundant 
ECU's within each module on the bus. TTP is an ideal 
choice for hard real-time systems like brake-by-wire 
that cannot tolerate a single point of failure within the 
network. The diagram below shows the fault tolerant 
units (FTU) that are made of two or more separate 
ECU's to ensure continued system operation even if 
one of the ECU's within the FTU were to fail. In 
addition, TTP operates using a TDMA (time division 
multiple access) principle. Each module has its own 
TDMA slot where it controls the entire capacity of the 
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network [Microcontroller Family User ? s Manual 
(1995)]. 



TTP Elk- 


fig. 17 2 FTU'S ON TTP BUS [HEDENETZ & BELSCHNER (1998)] 

True brake-by-wire on a vehicle would allow a system 
such as ESP even greater control of the vehicle during 
operation. ESP would no longer be constrained by the 
physical limitations of hydraulic braking. There 
would be almost no time delay waiting for fluid 
pressure to build up when ESP activates. This 
shortened response time is extremely valuable for a 
hard real-time system like ESP. The fraction of a 
second that traditional brakes require to begin 
activation means the difference between staying on an 
icy road and ending up in a ditch. 

Because EMB is on the vehicle bus and supports 
communication protocols such as CAN, this would 
allow for much easier integration with other vehicle 
systems such as ESP ["Electromechanical Braking 
(EMB)", www.freescale.com]. The ESP and EMB 
controller could be integrated into a single module 
thus eliminating data EMB would greatly improve the 
performance of ESP. Integrating EMB into a vehicle 
stability system would decrease response times, 
decrease braking distances, eliminate mechanical 
braking anomalies, improve system communication 
and overall system performance. As the number of 
embedded systems in the vehicle increases, so do the 
possibilities for total vehicle control. 

EMB takes one more element of vehicle control away 
from the driver and gives that control to a computer. 
There are risks associated with moving automobile 
safety in this direction. Drivers will place more and 
more their trust in embedded systems and rely less 
and less on their own driving ability. Such issues must 
be considered when future automotive electronics are 


designed and developed. 

Steer-By-Wire 

Steer-by-wire eliminates the mechanical connection 
between the driver and the vehicle's front tires. The 
traditional steering elements are replaced by two 
actuators positioned in the vehicle's front corners. 
These actuators receive input from the control module 
and turn the front wheels per the control module's 
instructions. The system also uses an electric motor to 
provide road feedback to the steering wheel [Electric 
Steering Systems, www.delphi.com]. 



FIG. 18 STEER-BY-WIRE [BRAKE-BY-WIRE TECHNOLOGIES, 
WWW.CONTI-ONLINE.COM] 

A true steer-by-wire system offers many advantages 
over traditional mechanical steering systems. A steer- 
by-wire has fewer mechanical elements thus reducing 
vehicle mass and improving fuel economy. Reducing 
the number of hardware components also simplifies 
vehicle assembly, improves packaging flexibility and 
system reliability [Electric Steering Systems, 
www.delphi.com]. Fewer components improve 
reliability because there is less chance of system failure 
due to component failure. Steer-by-wire also improves 
steering capability in the front wheels resulting in a 
tighter turning radius [Electric Steering Systems, 
www.delphi.com]. Steer-by-wire is an embedded 
system with access to the vehicle network thus 
allowing easier integration with other vehicle systems 
such as ESP. 

A steer-by-wire system can be subdivided into three 
major subsystems: a controller subsystem, a driver 
interface subsystem, and a road wheel subsystem 
[Kaufmann et al. (2001)]. The figure below depicts the 
three subsystems of steer-by-wire. 
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FIG. 19 STEER-BY-WIRE CONCEPTUAL DESIGN [KAUFMANN 
ET AL. (2001)] 

The hand-wheel subsystem provides torque feedback 
to the driver and position information to the controller 
based upon the driver's desire position of the steering 
wheel [Kaufmann et al. (2001)]. The subsystem 
contains torque sensors and position sensors to 
measure the force with which the driver turns the 
wheel and the angle that the driver turns the wheel. In 
addition, there is a motor mechanism that provides 
feedback to the driver to simulate the traditional "feel" 
of mechanical steering. The torque feedback system is 
necessary for drivers to accept the steer-by-wire 
system. If there is mechanical feedback coming 
through the steering wheel, drivers would believe that 
the car fails to function properly. The torque feedback 
device is necessary to make steer-by-wire a 
commercially viable automotive system. 



FIG. 20 HAND- WHEEL SUBSYSTEM [KAUFMANN ET AL. (2001)] 

The road-wheel subsystem positions the wheels 
according to input provided by the driver via the 
hand- wheel subsystem. The input is processed by the 
controller subsystem. The road-wheel subsystem is 
also responsible for providing road force information 
back to the controller subsystem to be used in 
synthesizing torque feedback to the driver. The 
controller subsystem calculates the desired hand- 


wheel torque and road-wheel position inputs for the 
other subsystems [Kaufmann et al. (2001)]. 

RoadWheel 


FIG. 21 ROAD- WHEEL SUBSYSTEM [KAUFMANN ET AL. (2001)] 

As with brake-by-wire systems discussed previously, 
steer-by-wire is a safety critical system. Special 
measures must be taken to ensure the system's 
robustness and reliability under all conditions. Efforts 
are made to avoid design errors, limit complexity, 
avoid common mode failures, continuous 
maintenance of an acceptable state and support fault- 
tolerant operation [Kaufmann et al. (2001)]. While 
steer-by-wire is able to offer much benefit and 
improve performance, because of its design, it also 
increases the level of risk for system failure. 

Steer-by-wire could be classified as a hard real-time 
system. Ability to meet response time requirements is 
critical for a system such as steer-by-wire. There is no 
backup system to steer the vehicle in the event that the 
road- wheel actuators are to fail [Kaufmann et al. 
(2001)]. The system must be designed to be fault 
tolerant, because any kind of system delay or failure 
would has disastrous results for the driver. 

Steer-by-wire offers much benefit for vehicle stability 
systems such as ESP. Steering control could be 
integrated into the ESP system and would remove 
driver interference during critical situations. 
Currently drivers are able to "out-steer" the stabilizing 
ability of the ESP system. In critical situations, a driver 
might panic and steer the vehicle into an 
uncontrollable state. ESP is a very effective system, 
but there are limits to its ability to stabilize the vehicle. 
Ultimately, ESP cannot defy the laws of physics or a 
driver determined to steer the vehicle out of control. 
Having steer-by-wire adds an additional level of 
control over the vehicle stability system. No longer 
dependent upon a driver's decision during a critical 
situation with steer-by-wire, ESP could have total 
control of the vehicle. ESP would now have the added 
benefit of controlling the direction and position of the 
road wheels. Steer-by-wire also opens the possibility 
of steering each wheel independently if necessary for 
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the ESP system. 

Steer-by-wire would greatly improve the performance 
of ESP. It is another element of vehicle control that 
could be integrated into ESP. Just like brake-by-wire, 
steer-by-wire is another example of by-wire systems 
increasing the performance and possibilities of vehicle 
stability systems like ESP. 

With steer-by-wire, there are certain risks associated 
with replacing hard mechanical systems with 
computer controlled networks. As with brake-by-wire, 
there are critical issues that must be addressed when 
an element of vehicle control is taken away from the 
driver and given over to a computer system. While 
this transition of control offers almost unlimited 
potential in terms of safety and control, it also raises 
concerns on driver responsibility. If a car were to get 
into an accident, which would be at fault: the driver of 
the vehicle or the steer-by-wire system manufacturer. 
Such issues must be weighed carefully when systems 
like steer-by-wire are designed and implemented. 

Recent advances in dependable embedded system 
technology, as well as continuing demand for improved 
handling and passive and active safety improvements, 
have led vehicle manufacturers and suppliers to 
actively pursue development in computer-controlled 
by- wire subsystems [Kaufmann et al. (2001)]. Every 
step of advancement in by-wire subsystems such as 
brake-by-wire and steer-by-wire is another step 
towards the development of improved vehicle stability 
systems. As more and more traditionally mechanical 
vehicle systems are converted to electronic systems, 
the ability to integrate these systems with ESP 
increases. ESP will soon have the ability to completely 
control many traditionally mechanical systems like 
steering and braking. This control will increase the 
performance and capability of ESP. 

Advantages and Disadvantages 

ESP offering much benefit to vehicle performance and 
safety, greatly improves a car's ability to steer on icy 
or slippery roads and also prevents a vehicle from 
spinning out of control during critical situations, 
furthermore, it is able to minimize the adverse effects 
of driving on slippery roads, as well as to recognize 
when the driver is no longer able to safely control the 
vehicle and assists in stabilizing the vehicle. When 
used properly, ESP is capable to assist the driver in 
avoiding accidents. A driver is immune to helplessness 


when veering off the road on a rainy or icy day. When 
a driver feels that they have lost control over the 
vehicle, ESP is able to react with brake and engine 
intervention at a rate over ten times faster than human 
being. When ESP is viewed as mechanism to assist 
driver's in critical situation, then it is very beneficial 
and greatly improves vehicle safety. 

While ESP offers drivers much safety and performance 
benefit, it is important that drivers are aware of the 
limitations of systems like ESP. The most important 
rule to remember is that ESP cannot defy the laws of 
physics. The driver of any vehicle with ESP must keep 
in mind that there are physical limitations to ESP's 
ability to stabilize the vehicle. If a driver is going 100 
mph and suddenly performs a 90° turn into the 
guardrail, then ESP may not be able to stabilize the 
vehicle. It is important for drivers to be aware that ESP 
will not be able to stabilize the vehicle in all situations. 
Having a vehicle with ESP may give some drivers a 
false sense of security about their car's ability to 
handle inclement condition. In no way is ESP a license 
to drive recklessly in inclement conditions. This is one 
potential drawback to ESP. 

An additional issue that must be considered with a 
system like ESP is driver responsibility. As more and 
more electronic systems replace traditionally 
mechanical systems, an increasing amount of vehicle 
control is being given over to embedded systems. 
While this offers many safety and performance 
benefits, it also creates a potential hazard. Consumers 
might become less responsible for their driving and 
will simply assume that their car will "save." This is a 
very dangerous trend and all efforts should be made 
by manufacturers and dealers to reinforce the notion 
that such systems are simply meant to assist the driver. 
They were never intended to replace the function of 
the driver. Control of the vehicle is ultimately the 
responsibility of the driver. It is important that consumers 
be informed of the capabilities and limitations of 
systems like ESP to avoid potentially fatal incidents. 

These are some of the positive and negative issues 
surrounding the development of vehicle safety 
systems like ESP. 

Conclusion 

The use of embedded systems in automotive 
applications has made possible current state of the art 
safety systems like ESP. ESP uses high tech sensors. 
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actuators, and microprocessors to provide vehicle 
stability in adverse driving conditions. Originally 
introduced by Bosch in 1995, ESP continues to grow 
both in use and performance. As automotive suppliers 
continue to find new ways to replace existing 
mechanical systems with purely electronic ones, the 
capability of ESP will continue to improve. At the 
same time, automotive suppliers and manufacturers 
must carefully way the benefits of such technologies 
against the inherent risks of computer controlled 
systems. Perhaps the greatest service that suppliers 
and manufacturers can perform is to inform 
consumers of the capabilities and limitations of these 
systems. These systems will only be effective if drivers 
are properly informed on how to use them. 
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